Debian PHP 5 Security Issues

The Debian 5 php5 package has the following serious security issues:


To prevent Denial of Service attacks by exhausting the number of available temporary file names, the max_file_uploads option introduced in PHP 5.3.1 has been backported.

Due to the nature of this new option a default limit has been set to 50, hoping it is sensible enough not to cause disruptions on existing services. The value of this new limit can be changed in the php.ini file.

If you installed the php5-suhosin extension there was a limiting mechanism in place already. In this case you may want to make sure the new limit imposed by PHP itself is not smaller than suhosin’s.

  1. CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields (Closes: #535888)
  2. CVE-2009-2626: remote memory disclosure via ini_* functions (Closes: #540605)
  3. CVE-2009-3292: multiple missing checks processing exif image data
  4. CVE-2009-3291: improper handling of nul character in CommonName fields of X509 certificates
  5. max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
  6. Add an entry to debian/NEWS about the new per-request file uploads limit

How Do I Fix This Problem?

Type the following command:
# aptitude full-upgrade
Then restart or reload the web server:
# /etc/init.d/apache2 restart
OR
# /etc/init.d/lighttpd restart
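To verify the suhosin caveat above after the upgrade, here is an added POSIX shell check that is not from this page or from the Debian advisory: it reads "php -i" style output and confirms that the backported max_file_uploads value is present and not smaller than suhosin.upload.max_uploads (the Suhosin directive assumed here to be the per-request upload limit). The sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: compare PHP's backported max_file_uploads with the limit
# suhosin already enforces (assumed to be suhosin.upload.max_uploads).

# Print the effective value of one ini directive from "php -i" output
# ("name => local => master") read on stdin; argument 1 is the directive name.
ini_value() {
    awk -v key="$1" '$1 == key && $2 == "=>" { print $3; exit }'
}

# Read "php -i" output on stdin and compare the two limits.
# Exit status: 0 = PHP limit present and >= suhosin's (or suhosin not loaded),
#              1 = PHP limit smaller than suhosin's, 2 = max_file_uploads absent.
check_upload_limits() {
    out=$(cat)
    php_limit=$(printf '%s\n' "$out" | ini_value max_file_uploads)
    suh_limit=$(printf '%s\n' "$out" | ini_value suhosin.upload.max_uploads)
    if [ -z "$php_limit" ]; then
        echo "max_file_uploads not present: php5 backport not active?"
        return 2
    fi
    if [ -z "$suh_limit" ]; then
        echo "suhosin not loaded; max_file_uploads=$php_limit governs uploads"
        return 0
    fi
    if [ "$php_limit" -lt "$suh_limit" ]; then
        echo "max_file_uploads=$php_limit is below suhosin.upload.max_uploads=$suh_limit"
        return 1
    fi
    echo "ok: max_file_uploads=$php_limit >= suhosin.upload.max_uploads=$suh_limit"
    return 0
}

# Constructed samples of the two relevant "php -i" lines (not real output).
SAMPLE_LOW='max_file_uploads => 20 => 20
suhosin.upload.max_uploads => 25 => 25'
SAMPLE_OK='max_file_uploads => 50 => 50
suhosin.upload.max_uploads => 25 => 25'

# Demonstration on the constructed samples; on a real host run:
#   php -i | check_upload_limits
printf '%s\n' "$SAMPLE_LOW" | check_upload_limits
printf '%s\n' "$SAMPLE_OK" | check_upload_limits
```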

2 comments
  • Raphael Geissert Dec 12, 2009 @ 5:33

    You should add a reference to the original advisory and make clear that part of the text was quoted, instead of making it look as your own.

  • hemsida Apr 18, 2011 @ 19:15

    Nice article. I’ll give it a try
    Thanks for sharing.
